<html>
<head><meta charset="utf-8"><title>Threshold for &quot;vulnerability&quot; · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html">Threshold for &quot;vulnerability&quot;</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="170977616"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/170977616" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#170977616">(Jul 16 2019 at 11:49)</a>:</h4>
<p>What is the threshold for something to be considered a "vulnerability" for <a href="https://github.com/RustSec/advisory-db/blob/master/CONTRIBUTING.md" target="_blank" title="https://github.com/RustSec/advisory-db/blob/master/CONTRIBUTING.md">https://github.com/RustSec/advisory-db/blob/master/CONTRIBUTING.md</a> ? (And I hope I am asking in the right stream here.)<br>
<a href="https://crates.io/crates/memoffset" target="_blank" title="https://crates.io/crates/memoffset">https://crates.io/crates/memoffset</a> versions before 0.5 have a critical soundness bug, so it would be good to migrate away and update to 0.5. However, except for version 0.3 and 0.4, there are no known problems that were caused by this pattern. What is the best way to proceed?</p>



<a name="170977978"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/170977978" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#170977978">(Jul 16 2019 at 11:54)</a>:</h4>
<p>Soundness meaning you can extract multiple <code>&amp;mut</code> references or something?</p>
<p>I think any time you've got the possibility for memory unsafety using only safe APIs that's fair game</p>



<a name="170980684"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/170980684" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#170980684">(Jul 16 2019 at 12:30)</a>:</h4>
<p>it called <code>mem::uninitialized</code> on arbitrary types</p>



<a name="170980701"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/170980701" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#170980701">(Jul 16 2019 at 12:31)</a>:</h4>
<p>for most recent compiler versions, that will just panic on uninhabited types, and it is not known to cause problems with inhabited types like <code>bool</code> even though it is UB</p>



<a name="170980733"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/170980733" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#170980733">(Jul 16 2019 at 12:31)</a>:</h4>
<p>for older compiler versions that do not have this panic yet (I dont recall when it got added), LLVM might do whatever</p>



<a name="170980980"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/170980980" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#170980980">(Jul 16 2019 at 12:35)</a>:</h4>
<p>Can I get it to call <code>mem::uninitialized</code> with a type that implements <code>Drop</code>, thereby almost certainly causing mayhem? Because that surely seems like it'd qualify.</p>



<a name="170981004"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/170981004" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#170981004">(Jul 16 2019 at 12:35)</a>:</h4>
<p>I think it did <code>mem::forget</code> but let me check</p>



<a name="170981059"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/170981059" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#170981059">(Jul 16 2019 at 12:36)</a>:</h4>
<p>but note that <code>let b: bool = mem::uninitialized()</code> is insta-UB, drop really is not needed to cause mayhem <em>in theory</em></p>



<a name="170981092"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/170981092" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#170981092">(Jul 16 2019 at 12:37)</a>:</h4>
<p>Ah, so not a totally straight forward instance of memory unsafety.</p>
<p>I'm not in charge or anything, but I suppose it qualifies (though I tend to be less excited about these than other vuln types.)</p>



<a name="170981200"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/170981200" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#170981200">(Jul 16 2019 at 12:38)</a>:</h4>
<p>yeah as I said, except for 0.3 and 0.4 there is no known way to cause an actual miscompilation with recent rustc</p>



<a name="170981241"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/170981241" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#170981241">(Jul 16 2019 at 12:39)</a>:</h4>
<p>Maybe start with an advisory just for 0.3 and 0.4 then?</p>



<a name="170981263"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/170981263" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#170981263">(Jul 16 2019 at 12:39)</a>:</h4>
<p>they were only out very briefly and have no resverse deps so I am wondering if its worth it^^</p>



<a name="170981321"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/170981321" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#170981321">(Jul 16 2019 at 12:40)</a>:</h4>
<p>actually I am wrong they have reverse deps</p>



<a name="170981324"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/170981324" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#170981324">(Jul 16 2019 at 12:40)</a>:</h4>
<p>okay so I'll start with that</p>



<a name="170981541"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/170981541" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#170981541">(Jul 16 2019 at 12:43)</a>:</h4>
<p>It's also always possible for them to have users who aren't other crates</p>



<a name="170987637"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/170987637" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#170987637">(Jul 16 2019 at 13:52)</a>:</h4>
<p>fair</p>



<a name="170988063"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/170988063" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#170988063">(Jul 16 2019 at 13:56)</a>:</h4>
<p>seems good to me</p>



<a name="171113814"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171113814" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171113814">(Jul 17 2019 at 20:17)</a>:</h4>
<p>if something can panic while holding on to <code>mem::uninitialized()</code>, that's exploitable. See <a href="https://github.com/RustSec/advisory-db/blob/master/crates/libflate/RUSTSEC-2019-0010.toml" target="_blank" title="https://github.com/RustSec/advisory-db/blob/master/crates/libflate/RUSTSEC-2019-0010.toml">https://github.com/RustSec/advisory-db/blob/master/crates/libflate/RUSTSEC-2019-0010.toml</a> for example</p>



<a name="171113930"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171113930" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171113930">(Jul 17 2019 at 20:18)</a>:</h4>
<p><a href="https://rustsec.org/advisories/RUSTSEC-2019-0011.html" target="_blank" title="https://rustsec.org/advisories/RUSTSEC-2019-0011.html">https://rustsec.org/advisories/RUSTSEC-2019-0011.html</a></p>



<a name="171114086"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171114086" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171114086">(Jul 17 2019 at 20:20)</a>:</h4>
<p><a href="https://github.com/Gilnaa/memoffset/issues/9#issuecomment-505472124" target="_blank" title="https://github.com/Gilnaa/memoffset/issues/9#issuecomment-505472124">https://github.com/Gilnaa/memoffset/issues/9#issuecomment-505472124</a> - wait, isn't this memory disclosure?</p>



<a name="171114286"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171114286" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171114286">(Jul 17 2019 at 20:23)</a>:</h4>
<p>sounds like it</p>



<a name="171119188"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171119188" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171119188">(Jul 17 2019 at 21:28)</a>:</h4>
<p>It should be mentioned into the advisory then</p>



<a name="171188164"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171188164" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171188164">(Jul 18 2019 at 16:49)</a>:</h4>
<p><span class="user-mention" data-user-id="127617">@Shnatsel</span> yeah, definitely</p>



<a name="171188172"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171188172" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171188172">(Jul 18 2019 at 16:49)</a>:</h4>
<p>do you want to add it or should I?</p>



<a name="171193881"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171193881" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171193881">(Jul 18 2019 at 17:58)</a>:</h4>
<p>Best if you do it, I'll try to handle the other smallvec vuln in the meanwhile</p>



<a name="171194144"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171194144" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171194144">(Jul 18 2019 at 18:01)</a>:</h4>
<p>so I linked that to Patrick Walton and he was questioning it... I'm not sure I'm confident enough to say anything definitive in the advisory</p>



<a name="171194160"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171194160" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171194160">(Jul 18 2019 at 18:01)</a>:</h4>
<p>I guess we can just bug <span class="user-mention" data-user-id="120791">@RalfJ</span> directly <span aria-label="wink" class="emoji emoji-1f609" role="img" title="wink">:wink:</span></p>



<a name="171194179"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171194179" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171194179">(Jul 18 2019 at 18:02)</a>:</h4>
<p>Neither am I ¯\_(ツ)_/¯</p>



<a name="171235870"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171235870" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171235870">(Jul 19 2019 at 07:24)</a>:</h4>
<p>well it's a bug leading to an incorrect offset being returned</p>



<a name="171235881"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171235881" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171235881">(Jul 19 2019 at 07:24)</a>:</h4>
<p>depending on how the offset gets <em>used</em> it could indeed lead to arbitrary OOB memory accesses</p>



<a name="171235956"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171235956" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171235956">(Jul 19 2019 at 07:26)</a>:</h4>
<blockquote>
<p>if something can panic while holding on to <code>mem::uninitialized()</code>, that's exploitable. See <a href="https://github.com/RustSec/advisory-db/blob/master/crates/libflate/RUSTSEC-2019-0010.toml" target="_blank" title="https://github.com/RustSec/advisory-db/blob/master/crates/libflate/RUSTSEC-2019-0010.toml">https://github.com/RustSec/advisory-db/blob/master/crates/libflate/RUSTSEC-2019-0010.toml</a> for example</p>
</blockquote>
<p>I see. And indeed together with the other bug, there <em>could</em> be arbitrary user code being executed (as part of the deref coercion, which I had entirely forgotten about) and if that panics that does lead to dropping a <code>mem::uninitialized</code>.</p>



<a name="171235965"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171235965" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171235965">(Jul 19 2019 at 07:26)</a>:</h4>
<p>this affects <em>all</em> versions before 0.5</p>



<a name="171235968"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171235968" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171235968">(Jul 19 2019 at 07:26)</a>:</h4>
<p>so should the advisory be updated for this?</p>



<a name="171269288"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171269288" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171269288">(Jul 19 2019 at 15:55)</a>:</h4>
<p>I think so but I would prefer someone who understands the exact exploitation path do the writeup <span aria-label="wink" class="emoji emoji-1f609" role="img" title="wink">:wink:</span></p>



<a name="171274737"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171274737" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171274737">(Jul 19 2019 at 17:06)</a>:</h4>
<p><span class="user-mention" data-user-id="120791">@RalfJ</span> Arbitrary OOB memory access is a Big Deal. This definitely needs to go into the advisory.</p>



<a name="171322692"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171322692" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171322692">(Jul 20 2019 at 10:53)</a>:</h4>
<p>absolutely, I just was not sure if this should be a new advisory or an update. I will then make it an update.</p>



<a name="171322822"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171322822" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171322822">(Jul 20 2019 at 10:57)</a>:</h4>
<p>submitted update: <a href="https://github.com/RustSec/advisory-db/pull/129" target="_blank" title="https://github.com/RustSec/advisory-db/pull/129">https://github.com/RustSec/advisory-db/pull/129</a></p>



<a name="171327420"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171327420" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171327420">(Jul 20 2019 at 13:24)</a>:</h4>
<p>The interesting question is, what do we do about the vulnerable versions with no semver-compatible upgrade path? Is it possible to backport the fixes, or do we need to yank all versions of every single crate that depends on a vulnerable version?</p>



<a name="171327539"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171327539" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171327539">(Jul 20 2019 at 13:28)</a>:</h4>
<p>there is no semver-compatible upgrade path</p>



<a name="171327550"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171327550" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171327550">(Jul 20 2019 at 13:29)</a>:</h4>
<p>fixing the potential panic during the computation requires ruling out deref coercions, and the only known way to do that only works for testing a field of a type. the old versions of the crate allowed things like <code>offset_of!(Type, field[3].subfield)</code>. We dont know how to statically or dynamically rule out deref coercions for such a macro.</p>



<a name="171327601"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171327601" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171327601">(Jul 20 2019 at 13:30)</a>:</h4>
<p>however, when a crate only uses <code>offset_of!</code> internally and does not actually use it in a way that would cause a deref coercion, there is no reason to yank that crate</p>



<a name="171327608"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171327608" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171327608">(Jul 20 2019 at 13:30)</a>:</h4>
<p>(unless it used version 0.3 or 0.4 which can cause SIGILL)</p>



<a name="171328279"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171328279" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171328279">(Jul 20 2019 at 13:52)</a>:</h4>
<p>Well, we can at least enumerate the crates that depend on old versions. Thanks to <span class="user-mention" data-user-id="132723">@Zach Reizner</span> for <a href="https://gitlab.com/zachreizner/crates-audit" target="_blank" title="https://gitlab.com/zachreizner/crates-audit">https://gitlab.com/zachreizner/crates-audit</a></p>



<a name="171328370"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171328370" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171328370">(Jul 20 2019 at 13:55)</a>:</h4>
<p>Is there an online summary of this? Just sending PRs to resolve the highest impact ones would be a valuable way for people to contribute to ecosystem security.</p>



<a name="171328431"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171328431" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171328431">(Jul 20 2019 at 13:56)</a>:</h4>
<p>do you mean <a href="https://crates.io/crates/memoffset/reverse_dependencies" target="_blank" title="https://crates.io/crates/memoffset/reverse_dependencies">https://crates.io/crates/memoffset/reverse_dependencies</a> ?</p>



<a name="171328445"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171328445" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171328445">(Jul 20 2019 at 13:57)</a>:</h4>
<p>I took care of the three most-downloaded ones in that list</p>



<a name="171328503"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171328503" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171328503">(Jul 20 2019 at 13:58)</a>:</h4>
<blockquote>
<p>Well, we can at least enumerate the crates that depend on old versions. Thanks to <span class="user-mention silent" data-user-id="132723">Zach Reizner</span> for <a href="https://gitlab.com/zachreizner/crates-audit" target="_blank" title="https://gitlab.com/zachreizner/crates-audit">https://gitlab.com/zachreizner/crates-audit</a></p>
</blockquote>
<p>what does that do? the repo doesn't explain anything...</p>



<a name="171328622"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171328622" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171328622">(Jul 20 2019 at 14:01)</a>:</h4>
<p>It analyzes all of <a href="http://crates.io" target="_blank" title="http://crates.io">crates.io</a> and finds packages which depend on a package which has a rustsec vuln</p>



<a name="171328757"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171328757" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171328757">(Jul 20 2019 at 14:05)</a>:</h4>
<p>The interesting part is that it does so transitively. So you can look up all the leaf crates affected by a vulnerability.<br>
It currently only detects cases without a semver-compatible upgrade path.</p>



<a name="171330075"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171330075" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171330075">(Jul 20 2019 at 14:45)</a>:</h4>
<p>I see, interesting. I basically sued the download numbers as a proxy for "is this in the transitive chain of something widely used".</p>



<a name="171332357"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171332357" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171332357">(Jul 20 2019 at 15:51)</a>:</h4>
<p>crates-audit is running here: <a href="https://crates.rustsec.org/" target="_blank" title="https://crates.rustsec.org/">https://crates.rustsec.org/</a></p>



<a name="171332359"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171332359" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171332359">(Jul 20 2019 at 15:51)</a>:</h4>
<p><span class="user-mention" data-user-id="120791">@RalfJ</span> your update looks good. should it specifically call out potential memory exposure and/or RCE?</p>



<a name="171333886"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171333886" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171333886">(Jul 20 2019 at 16:36)</a>:</h4>
<p>made a note of that on the PR</p>



<a name="171335111"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171335111" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171335111">(Jul 20 2019 at 17:14)</a>:</h4>
<p><span class="user-mention" data-user-id="127617">@Shnatsel</span> re: upgrade path for vulnerable versions and semver compat, someone with the same question <a href="https://twitter.com/DPC_22/status/1152623528442773505" target="_blank" title="https://twitter.com/DPC_22/status/1152623528442773505">https://twitter.com/DPC_22/status/1152623528442773505</a></p>
<div class="inline-preview-twitter"><div class="twitter-tweet"><a href="https://twitter.com/DPC_22/status/1152623528442773505" target="_blank"><img class="twitter-avatar" src="https://pbs.twimg.com/profile_images/1009416360630345728/Uy0WI9V4_normal.jpg"></a><p><a href="https://twitter.com/bascule" target="_blank" title="https://twitter.com/bascule">@bascule</a> <a href="https://twitter.com/rustlang" target="_blank" title="https://twitter.com/rustlang">@rustlang</a> We are facing a dilemma as crate authors as replacing it in a minor release would mean bumping the msvr to 1.36.0 which would break the crate on older compilers and updating it in a major means people who have to manually update it</p><span>- ໓ฯlคຖ ໓p¢ (@DPC_22)</span></div></div>



<a name="171335368"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171335368" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171335368">(Jul 20 2019 at 17:23)</a>:</h4>
<p>Re: twitter complaint: they need a third option. Backport something somewhere - extract stdlib function into their crate or some such. I wouldn't worry about MSRV 1.32 but if it's 1.36 that's too extreme. And if it's not fixable that way... well, rewrite the code to be slower but actually safe.</p>



<a name="171335417"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171335417" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171335417">(Jul 20 2019 at 17:24)</a>:</h4>
<p>I don't have twitter so can't comment in there</p>



<a name="171335919"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171335919" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171335919">(Jul 20 2019 at 17:40)</a>:</h4>
<p>Oh, regarding uninitialized memory and panic, there was this exact problem in libflate too: <a href="https://rustsec.org/advisories/RUSTSEC-2019-0010.html" target="_blank" title="https://rustsec.org/advisories/RUSTSEC-2019-0010.html">https://rustsec.org/advisories/RUSTSEC-2019-0010.html</a> and it's fixed by using <code>take_mut</code> crate instead of uninitialized memory.</p>



<a name="171335936"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171335936" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171335936">(Jul 20 2019 at 17:41)</a>:</h4>
<blockquote>
<p>The issue was discovered and fixed by Shnatsel.</p>
</blockquote>
<p>This is weird to see in an advisory for some reason.</p>



<a name="171338985"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171338985" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DPC <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171338985">(Jul 20 2019 at 19:13)</a>:</h4>
<p><span class="user-mention" data-user-id="127617">@Shnatsel</span> thanks. The relevant discussion is here</p>



<a name="171338986"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171338986" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DPC <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171338986">(Jul 20 2019 at 19:13)</a>:</h4>
<p>(deleted)</p>



<a name="171338990"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171338990" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DPC <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171338990">(Jul 20 2019 at 19:13)</a>:</h4>
<p>Wait</p>



<a name="171338993"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171338993" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DPC <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171338993">(Jul 20 2019 at 19:13)</a>:</h4>
<p><a href="https://github.com/sodiumoxide/sodiumoxide/pull/350" target="_blank" title="https://github.com/sodiumoxide/sodiumoxide/pull/350">https://github.com/sodiumoxide/sodiumoxide/pull/350</a></p>



<a name="171339045"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171339045" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171339045">(Jul 20 2019 at 19:15)</a>:</h4>
<p>There is nothing in there saying it's exploitable though</p>



<a name="171339122"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171339122" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DPC <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171339122">(Jul 20 2019 at 19:17)</a>:</h4>
<p>Yes it may not be. But we are taking the safe option and replacing rather than depending on a deprecated function</p>



<a name="171339124"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171339124" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171339124">(Jul 20 2019 at 19:17)</a>:</h4>
<p>This function is not yet deprecated and won't be until 1.40, so I don't see an immediate problem.</p>



<a name="171339164"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171339164" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171339164">(Jul 20 2019 at 19:18)</a>:</h4>
<p>it's deprecated with 1.39</p>



<a name="171339167"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171339167" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171339167">(Jul 20 2019 at 19:18)</a>:</h4>
<p>and the only reason we are waiting is to give people time to migrate</p>



<a name="171339172"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171339172" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171339172">(Jul 20 2019 at 19:18)</a>:</h4>
<p>Huh. With Debian Stable shipping 1.34 and Ubuntu shipping 1.32, I'd expect people will need <em>way</em> more time to migrate.</p>



<a name="171339174"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171339174" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171339174">(Jul 20 2019 at 19:18)</a>:</h4>
<p>but yeah, mem::uninitialized has been broken since forever, it's just with 1.36 now there is finally a fix -- but it requires bumping the minimal Rust version</p>



<a name="171339180"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171339180" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171339180">(Jul 20 2019 at 19:19)</a>:</h4>
<p><span class="user-mention" data-user-id="127617">@Shnatsel</span> that makes me somewhat sad <span aria-label="cry" class="emoji emoji-1f622" role="img" title="cry">:cry:</span></p>



<a name="171339181"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171339181" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DPC <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171339181">(Jul 20 2019 at 19:19)</a>:</h4>
<p>Thanks. Yeah which is 2-3 months later which goes well with our release plans</p>



<a name="171339185"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171339185" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171339185">(Jul 20 2019 at 19:19)</a>:</h4>
<p>I don't think there is any precedence for aligning deprecation schedule with distros? deprecating 3 versions in the future is our "cautious" deprecation, most of the time stuff just gets deprecated with some release ;)</p>



<a name="171339234"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171339234" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DPC <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171339234">(Jul 20 2019 at 19:20)</a>:</h4>
<p>Yeah deprecations don't align with distro releases</p>



<a name="171339240"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171339240" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171339240">(Jul 20 2019 at 19:20)</a>:</h4>
<p>it's sad that debian and ubuntu have a pre-MaybeUninit rust, but then there are tons of reasons why using a 1-year-old Rust is a bad idea even if thats what your distro ships</p>



<a name="171339249"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171339249" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171339249">(Jul 20 2019 at 19:21)</a>:</h4>
<p>Ubuntu LTS actually updated to 1.32, despite being from April 2018... so there is hope</p>



<a name="171339252"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171339252" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171339252">(Jul 20 2019 at 19:21)</a>:</h4>
<p>so if they want to stick with that (as opposed to RedHat where I heard they will actually ship ever 2nd Rust release to their stable distro)... well bad for them I guess and someone should talk with them about that.</p>



<a name="171339292"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171339292" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DPC <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171339292">(Jul 20 2019 at 19:22)</a>:</h4>
<p>We have got bitten by that before. Had to maintain 1.22.0 for a long time on another crate  because of fedora (till we bumped it to 1.32 when we switched to 2018 Ed)</p>



<a name="171339294"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171339294" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171339294">(Jul 20 2019 at 19:22)</a>:</h4>
<p>I mean if you are not affected by <a href="https://github.com/rust-lang/rust/issues/62825" target="_blank" title="https://github.com/rust-lang/rust/issues/62825">https://github.com/rust-lang/rust/issues/62825</a> there is no reason to do the switch to MaybeUninit now rather than in 2 or 3 releases, I guess</p>



<a name="171339297"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171339297" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171339297">(Jul 20 2019 at 19:22)</a>:</h4>
<p><code>miniz_oxide</code> also has a hypothetical safety improvement if bumped to 1.34 as minimum version thanks to <code>u32::from_le_bytes()</code> and <code>try_into()</code>, but it has so many checks around it already so I'm not really worried</p>



<a name="171339302"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171339302" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171339302">(Jul 20 2019 at 19:22)</a>:</h4>
<p>for production applications we're primarily CentOS users. We source Rust from the Fedora repos, but the Fedora Rust people are amazing and usually turn around new RPMs for each Rust release in less than a week</p>



<a name="171339311"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171339311" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171339311">(Jul 20 2019 at 19:23)</a>:</h4>
<p>Debian/Ubuntu people do not seem to be quite as enthusiastic about Rust...</p>



<a name="171339318"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171339318" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171339318">(Jul 20 2019 at 19:23)</a>:</h4>
<p>RHEL also has aggressive about their update policy, with 3-month syncs</p>



<a name="171339358"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171339358" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DPC <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171339358">(Jul 20 2019 at 19:24)</a>:</h4>
<p>Yeah Ralf, but it will most likely be a while before we create a new release so it is fine</p>



<a name="171339368"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171339368" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171339368">(Jul 20 2019 at 19:24)</a>:</h4>
<p>RedHat is also actually using Rust in some of their tools (e.g. <code>rpm-ostree</code>), whereas I see Debian people talking about dropping support for projects which are migrating to Rust because they don't want to deal with building them <span aria-label="cry" class="emoji emoji-1f622" role="img" title="cry">:cry:</span></p>



<a name="171339370"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171339370" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171339370">(Jul 20 2019 at 19:24)</a>:</h4>
<p>I believe Ubuntu actually updates Rust after the distro release, which is basically unprecedented. The only other packages to do that other than rustc are Firefox and Chromium.</p>



<a name="171339371"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171339371" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171339371">(Jul 20 2019 at 19:24)</a>:</h4>
<p><span class="user-mention" data-user-id="127617">@Shnatsel</span> neat</p>



<a name="171339378"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171339378" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DPC <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171339378">(Jul 20 2019 at 19:25)</a>:</h4>
<p>Tony there is some talk going on with having an Ubuntu snap. Details aren't public yet iirc</p>



<a name="171339385"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171339385" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171339385">(Jul 20 2019 at 19:25)</a>:</h4>
<p>nice</p>



<a name="171339387"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171339387" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171339387">(Jul 20 2019 at 19:25)</a>:</h4>
<p>oh WOW they're on 1.35 already!</p>



<a name="171339389"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171339389" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171339389">(Jul 20 2019 at 19:25)</a>:</h4>
<p><span aria-label="tada" class="emoji emoji-1f389" role="img" title="tada">:tada:</span></p>



<a name="171339391"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171339391" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171339391">(Jul 20 2019 at 19:25)</a>:</h4>
<p>that's good, because a bunch of my crates are 1.35 minimum now</p>



<a name="171339393"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171339393" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171339393">(Jul 20 2019 at 19:26)</a>:</h4>
<p>1.35 because it's apparently a security update?</p>



<a name="171339433"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171339433" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171339433">(Jul 20 2019 at 19:26)</a>:</h4>
<p>aah</p>



<a name="171339434"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171339434" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DPC <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171339434">(Jul 20 2019 at 19:26)</a>:</h4>
<p>What security update?</p>



<a name="171339497"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171339497" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171339497">(Jul 20 2019 at 19:28)</a>:</h4>
<p>IDK, it comes from the security updates repo but there is nothing about it on Ubuntu Security Notices</p>



<a name="171339502"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171339502" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171339502">(Jul 20 2019 at 19:28)</a>:</h4>
<p>The latest CVE I've filed was <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010299" target="_blank" title="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010299">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010299</a></p>



<a name="171339562"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171339562" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171339562">(Jul 20 2019 at 19:30)</a>:</h4>
<p><a href="https://www.cvedetails.com/vulnerability-search.php?f=1&amp;vendor=&amp;product=Rust%2C+&amp;cveid=&amp;msid=&amp;bidno=&amp;cweid=&amp;cvssscoremin=&amp;cvssscoremax=&amp;psy=&amp;psm=&amp;pey=&amp;pem=&amp;usy=&amp;usm=&amp;uey=&amp;uem=" target="_blank" title="https://www.cvedetails.com/vulnerability-search.php?f=1&amp;vendor=&amp;product=Rust%2C+&amp;cveid=&amp;msid=&amp;bidno=&amp;cweid=&amp;cvssscoremin=&amp;cvssscoremax=&amp;psy=&amp;psm=&amp;pey=&amp;pem=&amp;usy=&amp;usm=&amp;uey=&amp;uem=">https://www.cvedetails.com/vulnerability-search.php?f=1&amp;vendor=&amp;product=Rust%2C+&amp;cveid=&amp;msid=&amp;bidno=&amp;cweid=&amp;cvssscoremin=&amp;cvssscoremax=&amp;psy=&amp;psm=&amp;pey=&amp;pem=&amp;usy=&amp;usm=&amp;uey=&amp;uem=</a> - nothing here for 1.32 that they shipped previously. Oh well. Good thing it's up to date though!</p>



<a name="171339767"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171339767" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DPC <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171339767">(Jul 20 2019 at 19:36)</a>:</h4>
<p>Thanks for the help :)</p>



<a name="171340199"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171340199" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171340199">(Jul 20 2019 at 19:49)</a>:</h4>
<p>Any idea where I can browse the current package versions for RHEL/CentOS? I know of <a href="https://packages.ubuntu.com/" target="_blank" title="https://packages.ubuntu.com/">https://packages.ubuntu.com/</a> and <a href="https://www.debian.org/distrib/packages" target="_blank" title="https://www.debian.org/distrib/packages">https://www.debian.org/distrib/packages</a> but nothing equivalent for RHEL</p>



<a name="171342779"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171342779" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171342779">(Jul 20 2019 at 21:10)</a>:</h4>
<p>I might be a bit silly but if I'm trying to find things via the web as opposed to using the <code>yum</code>/<code>dnf</code> CLI tools, here's how I typically do it: <a href="http://mirror.centos.org/centos/7/os/x86_64/" target="_blank" title="http://mirror.centos.org/centos/7/os/x86_64/">http://mirror.centos.org/centos/7/os/x86_64/</a></p>



<a name="171342780"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171342780" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171342780">(Jul 20 2019 at 21:10)</a>:</h4>
<p>that's not the yum repo I source Rust from, though</p>



<a name="171342838"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171342838" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171342838">(Jul 20 2019 at 21:12)</a>:</h4>
<p>we install Rust from EPEL, which is repackaged from the Fedora Rust builds</p>



<a name="171342845"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171342845" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171342845">(Jul 20 2019 at 21:12)</a>:</h4>
<p>we try to minimize use of EPEL and it's not enabled per default, but I think Rust is a great example of it working</p>



<a name="171342850"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171342850" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171342850">(Jul 20 2019 at 21:13)</a>:</h4>
<p>also the Fedora Rust team seems amazing</p>



<a name="171342903"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Threshold%20for%20%22vulnerability%22/near/171342903" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Threshold.20for.20.22vulnerability.22.html#171342903">(Jul 20 2019 at 21:14)</a>:</h4>
<p>RedHat seems to be quite interested in Rust, especially for things like building out Project Atomic</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>